ports/126356: [MAINTAINER] security/openvpn-devel: security update to 2.1_rc9 (CVE-2008-3459)
Matthias Andree
matthias.andree at gmx.de
Thu Aug 7 22:40:02 UTC 2008
>Number: 126356
>Category: ports
>Synopsis: [MAINTAINER] security/openvpn-devel: security update to 2.1_rc9 (CVE-2008-3459)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 07 22:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 6.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD merlin.emma.line.org 6.3-STABLE FreeBSD 6.3-STABLE #36: Tue Jul 29 11:16:09 CEST 2008
>Description:
Changes:
- Security update to version 2.1_rc9 to fix CVE-2008-3459 (arbitrary code execution).
- VulnDB update was submitted in a previous PR.
- Add PKCS#11 option which explicitly disables PKCS11 at build time if not desired
to avoid invisible pkcs11-helper dependency, else openvpn would silently pick up
security/pkcs11-helper.
Added file:
- files/patch-update-t_cltsrv (to be forwarded to upstream maintainer, works around recent
security tightening for scripts)
Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:
--- openvpn-devel-2.1.r9.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/Makefile /usr/home/emma/ports/security/openvpn-devel/Makefile
--- /usr/ports/security/openvpn-devel/Makefile 2008-07-18 14:16:20.000000000 +0200
+++ /usr/home/emma/ports/security/openvpn-devel/Makefile 2008-08-08 00:18:20.000000000 +0200
@@ -6,10 +6,9 @@
#
PORTNAME= openvpn
-DISTVERSION= 2.1_rc8
-PORTREVISION= 1
+DISTVERSION= 2.1_rc9
CATEGORIES= security net
-MASTER_SITES= https://secure.openvpn.net/beta/
+MASTER_SITES= http://openvpn.net/release/
PKGNAMESUFFIX= -devel
MAINTAINER= matthias.andree at gmx.de
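Review bot: MASTER_SITES moves from https://secure.openvpn.net/beta/ to plain http://openvpn.net/release/, so the fetch no longer has transport integrity and the distinfo checksums become the only check between a tampered mirror and the build. That is workable in the ports framework provided the new MD5/SHA256 values were taken from a trusted copy (upstream's signed tarball or an https download) rather than from the first http fetch; if the release directory is also reachable over https, prefer that URL in MASTER_SITES.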
@@ -26,7 +25,8 @@
MAN8= openvpn.8
-OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off
+OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off \
+ PKCS11 "Use security/pkcs11-helper" off
USE_RC_SUBR= openvpn.sh
USE_LDCONFIG= ${PREFIX}/lib
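Review bot: the option text "Use security/pkcs11-helper" names the dependency but not what the user gets from it; since the PR's rationale is to make the dependency visible, a description such as "PKCS#11 smartcard/token support (needs security/pkcs11-helper)" tells the user what they are turning on, not just which port gets pulled in.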
@@ -52,6 +52,12 @@
CONFIGURE_ARGS+= --enable-password-save
.endif
+.if defined(WITH_PKCS11)
+LIB_DEPENDS+= pkcs11-helper.1:${PORTSDIR}/security/pkcs11-helper
+.else
+CONFIGURE_ARGS+= --disable-pkcs11
+.endif
+
post-patch:
@${FIND} ${WRKSRC} -name \*.orig -delete
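Review bot: in the WITH_PKCS11 branch only LIB_DEPENDS is added and configure is left to autodetect pkcs11-helper, so a mis-located or unusable library would yield a build without PKCS#11 support instead of a failure. Add `CONFIGURE_ARGS+= --enable-pkcs11` next to the LIB_DEPENDS line so the option fails loudly when the helper cannot be used; the `.else` branch passing `--disable-pkcs11` is the right fix for the silent pick-up described in the PR.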
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/distinfo /usr/home/emma/ports/security/openvpn-devel/distinfo
--- /usr/ports/security/openvpn-devel/distinfo 2008-07-18 14:16:20.000000000 +0200
+++ /usr/home/emma/ports/security/openvpn-devel/distinfo 2008-08-07 22:57:14.000000000 +0200
@@ -1,3 +1,3 @@
-MD5 (openvpn-2.1_rc8.tar.gz) = 059dfb6e21b503687c6b4a8a1b0034ac
-SHA256 (openvpn-2.1_rc8.tar.gz) = 0c80db02ff783b23f91f230bc769aaec96bab405106829283a3b9c4702822ed0
-SIZE (openvpn-2.1_rc8.tar.gz) = 809545
+MD5 (openvpn-2.1_rc9.tar.gz) = f435e4ad43cf4323e942da570bae4951
+SHA256 (openvpn-2.1_rc9.tar.gz) = f73ec227a5fb7f4c73190e7ae52a59a4db149e8d628f22e8a0a762a58fbb424d
+SIZE (openvpn-2.1_rc9.tar.gz) = 818716
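Review bot: MD5, SHA256 and SIZE are all updated together, which is consistent. Because the Makefile hunk in this same patch switches the download to plain http, state where these checksums were verified (for example against upstream's signature for openvpn-2.1_rc9.tar.gz) so a later reviewer can tell they were not simply recorded from the http download they are meant to protect.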
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/files/patch-update-t_cltsrv /usr/home/emma/ports/security/openvpn-devel/files/patch-update-t_cltsrv
--- /usr/ports/security/openvpn-devel/files/patch-update-t_cltsrv 1970-01-01 01:00:00.000000000 +0100
+++ /usr/home/emma/ports/security/openvpn-devel/files/patch-update-t_cltsrv 2008-08-07 23:55:36.000000000 +0200
@@ -0,0 +1,23 @@
+--- ./t_cltsrv.sh.orig 2008-08-07 23:14:55.000000000 +0200
++++ ./t_cltsrv.sh 2008-08-07 23:53:27.000000000 +0200
+@@ -38,11 +38,13 @@
+ fi
+ ;;
+ esac
++downscript="${srcdir}/t_cltsrv-down.sh"
++test -x $downscript || chmod +x $downscript || { echo >&2 "$downscript is not executable, failing." ; exit 1 ; }
+ echo "the following test will take about two minutes..." >&2
+ set +e
+ (
+-./openvpn --cd "${srcdir}" ${addopts} --down 'echo "srv:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-server &
+-./openvpn --cd "${srcdir}" ${addopts} --down 'echo "clt:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-client
++./openvpn --script-security 2 --cd "${srcdir}" ${addopts} --setenv role srv --down "$downscript" --tls-exit --ping-exit 180 --config sample-config-files/loopback-server &
++./openvpn --script-security 2 --cd "${srcdir}" ${addopts} --setenv role clt --down "$downscript" --tls-exit --ping-exit 180 --config sample-config-files/loopback-client
+ ) 3>log.$$.signal >log.$$ 2>&1
+ e1=$?
+ wait $!
+--- ./t_cltsrv-down.sh.orig 2008-08-07 23:24:40.000000000 +0200
++++ ./t_cltsrv-down.sh 2008-08-07 23:28:40.000000000 +0200
+@@ -0,0 +1,2 @@
++#! /bin/sh
++echo "${role}:${signal}" >&3
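Review bot: `test -x $downscript || chmod +x $downscript` changes file modes inside the source tree at test time, and `$downscript` is unquoted, so a `${srcdir}` containing whitespace breaks both the test and the chmod. Invoking the helper through the interpreter instead, e.g. `--down "sh $downscript"` (with the same quoting in the `downscript=` assignment), removes the need for the executable bit and the in-tree chmod altogether, which also keeps the test free of side effects when run from a read-only checkout. The rest of the change is sound: with the script-security tightening an external `--down` script requires `--script-security 2`, and passing the role via `--setenv role srv`/`clt` so the one script prints `${role}:${signal}` to fd 3 preserves the original log format; note the script still relies on fd 3 being inherited through openvpn to the child, exactly as the inline command did before.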
--- openvpn-devel-2.1.r9.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: